At least 5% of all the Monero cryptocurrency currently in circulation has been mined using malware, and about 2% of the total daily hashrate comes from devices infected with cryptocurrency-mining malware.

These numbers are the results of in-depth research of the coin-mining malware scene by security researchers from Palo Alto Networks.

The report, released yesterday, has analyzed 629,126 malware samples that have been detected as part of coin-mining operations. The research didn't analyze in-browser miners (cryptojackers), but only traditional malware families that infected desktops and servers since June last year, when there was a significant spike in coin-mining operations.

Monero is the most popular cryptocoin

According to researchers, 84% of all malware samples they've detected were focused on mining for the Monero cryptocurrency, by far the most popular coin among malware groups.

Most popular coins among coinminer campaigns

Because Monero-based coin-mining malware must embed in its source code the mining pool and Monero address through which the malware operates and collects ill-gotten funds, researchers have been able to track most of the money these groups generated on infected devices.

By querying nine mining pools (which allow third-parties to query their payment stats) with the 2,341 Monero addresses researchers found embedded in the 531,6663 malware samples that focused on mining Monero, they were able to determine the amount of funds these groups have made in the past year.

Malware groups made over $108 million worth of Monero

According to Palo Alto Networks researchers, criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices.

That's over $108 million in US currency, just from coin-mining operations alone. This sum also represents around 5% of all the Monero currently in circulation —15,962,350 XMR.

Furthermore, since mining pools also reveal a miner's hash rate —the speed at which a miner completes an operation— researchers were also able to determine the amount of Monero coin-mining botnets have been generating per day.

Researchers say that during the past year, infected devices were responsible for 19,503,823.54 hashes/second, which is roughly 2% of the entire hashing power of the Monero network.

"The total hashrate of roughly 19MH/s would result in approximately $30,443 per day based on today’s current exchange rates and network difficulty," researchers said. "Similarly, the top three hashrates will mine approximately $2,737, $2,022 and $1,596 per day, respectively."

Most addresses hold little funds

But despite some of the bigger actors making mountains of cash per day, not all the Monero addresses found in malware samples made any money.

According to researchers, only 1,278 of the 2,341 addresses they found —roughly 55%— had collected more than 0.01 XMR (~$2.20) in their accounts.

Researchers believe this is "likely due to the malware being unsuccessful, or the attacker using a mining pool other than the ones [we] queried."

Furthermore, of the 55% addresses that did contain funds, 244 earned 100 XMR ($13,500) or more, 99 wallets mined over 1,000 XMR ($135,000), and 16 wallets have obtained over 10,000 XMR ($1.35 million).

Distribution of Monero mined to wallets

Somewhat inaccurate results, but the best we can get

These numbers are as accurate as they can be, as the Monero cryptocurrency was designed to prevent external third-parties from viewing the balance of an address without the private key.

Querying the mining pools is the only way to determine the amount of money sent to a specific wallet, which in reality, is the best and most optimum way of evaluating a coin-mining botnet's profits and efficiency.

Nonetheless, the Palo Alto Networks report only included data from nine mining pools only, meaning a large chunk of operational insight remains concealed.

This is a known issue with the Monero landscape, where around 80% of the total hashrate can't be accounted for...

...and where most malware operators prefer to use off-the-grid mining pools or set up their own mining pool as a way to prevent the operators of legitimate services from blocking the withdrawal of their funds following legal complaints.

Related Articles:

HNS Evolves From IoT to Cross-Platform Botnet

Coinhive Raking In Over $250,000 per Month From In-Browser Cryptomining

Rakhni Ransomware Adds Coinminer Component

First-Ever Person Sentenced for Malicious Use of Coinhive Library

Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses